An Introduction to Hiding your OpenVPN Traffic

It is worth noting that internet restrictions have tightened around the world. Governments are more concerned about the use of OpenVPNs and are doing whatever it takes to outwit their restrictions. China’s Great Firewall has been quite effective at this point and has managed to block various VPN providers within and outside China.

It goes without saying it is impossible to see data being encrypted in VPN tunnels. Sophisticated firewalls make effective use of DPI (Deep Packet Inspection) techniques that are able to resolve any and all encryption techniques being used including SSL encryption as well.

There are many solutions to the problem at hand but most of these require a technical know-how of server configurations. The purpose of this article is to introduce to the various options that are available at your disposal. If you are concerned about hiding your VPN signals and if Port 443 forwarding is lacking then you need to contact your VPN supplier to ensure they are willing enough implement any of the solutions mentioned below.

Forwarding Port through TCP port 443

Being one of the easiest ways, it can be taken care of without any difficulties whatsoever. You will not require server-side technical expertise which should work in almost all cases in order to forward your OpenVPN via port 443.

You need to keep in mind that OpenVPN by default uses TCP port 80. Normally, firewalls are responsible for supervising port 80 and reject encrypted traffic which tries to make use of them. In the case of HTTPS, port 443 is set as the primary port by default. The port is mostly used all over the web by giants like Twitter, Banks, Gmail and other web sources.

OpenVPN like HTTPS use SSL coding and are relatively difficult to identify with port 443. Blocking the port would strictly wipe out access to internet and as a result is not a practical option for web censors.

Forwarding the port is universally supported by almost any OpenVPN client thus making it incredibly simple for you to change port 443. In case your VPN provider does offer such a client then you should contact them immediately.

Regrettably, OpenVPN does not make use of standard SSL and considering the Deep Inspection techniques used in countries like China, it is easier to tell whether encrypted traffic is real. If this is the case, then unconventional means will need to be considered to avoid detection.

Obfsproxy

The server effectively encloses data in an obfuscation layer which makes it harder to identify whether an OpenVPN is being used. The strategy was recently adopted by Tor in order to tackle China and its measures to block access to public Tor networks. It is self-governing and can easily be encrypted by OpenVPN.

Obfsproxy needs to be installed on the client’s computer as well as the VPN server. That being said, it is not as secure in comparison to other tunneling methods neither does it enclose traffic in coding, but it does have a lower bandwidth overhead. This makes it an effective option for users in places like Syria or Ethiopia, wherever bandwidth is in grave supply. Obfsproxy is relatively easy to configure and set-up which is a plus.

SSL Tunneling for OpenVPN

A Secure Socket Layer (SSL) channel can individually be used as an effective substitute to OpenVPN. Many proxy servers use it to protect their connections. Additionally, it completely hides the use of OpenVPN. Since OpenVPN uses TLS or SSL encryption, it is completely different from the usual SSL channel and is easier to detect by complicated DPIs. To avoid this, it would be wise to hide OpenVPN data in an extra layer of coding as DPIs are not able to penetrate the outer layer of SSL channels.

Conclusion

It goes without saying that OpenVPN looks no different from the usual SSL traffic without deep packet inspection. This is further reinforced if the OpenVPN is routed through TCP port 443. But then again, countries like China and Iran are adamant at controlling their local population’s access to the internet. Interestingly, they have some of the most technically impressive measures in place to detect hidden traffic. Not only can this get you in trouble but it is an even better reason why you should take the aforementioned factors into consideration.